Former Director of FTC’s Consumer Unit Discusses Picking Battles

Companies are grappling with how to use consumer data to make customer relationships more profitable, without getting slapped with Federal Trade Commission enforcement actions. As director of the agency’s Consumer Protection Bureau from 2009 until 2013, David Vladeck ramped up enforcement actions on privacy issues, bringing cases against tech giants like Google Inc. and Facebook Inc. He is now a professor at Georgetown Law. Risk & Compliance Journal asked Mr. Vladeck how the agency picked its battles and what new actions could be coming soon.

This interview has been condensed and edited for clarity and length.

How did the enforcement culture change at the FTC during your tenure?

Mr. Vladeck: Let me preface this by saying my predecessor was terrific and the agency was poised to do all these things. I have a real emphasis on enforcement as a way of affecting policy. Part of it is timing. By the time we got there, mobile phones were starting to be ubiquitous. And the privacy issues people have always forecasted, with the wholesale use of the Internet, were then germane and ripe.

We did not have technologists on staff at the time, and to do highly technical cases of the kind that we did during my tenure there, and are still doing today, you need sophisticated forensic work. One of the things we did was bring in technologists to have on staff. We set up a laboratory to do forensic work on mobile devices. You need to have people who can view evidence captures on mobile devices and really understand the ecosystem behind the screen. I think we were the first civil law enforcement agency anywhere that had a fully functioning lab for mobile devices.

Why is the FTC placing more emphasis on enforcing data privacy?

Mr. Vladeck: The FTC had been involved with privacy for quite some time. The problem was that the previous framework the agency had used was notice and choice. And that’s very dependent on people reading written contracts, which just didn’t map on well to the new environment of the Internet.

For example, one of the early cases, pending before I arrived at the agency, was a case against Sears. Sears induced consumers [to download tracking software] by paying them $10 on the theory that this would allow Sears to provide better service to customers. But what Sears was doing was capturing everything customers did online, including passwords, bank accounts and prescription drug information. Buried in the contract on page eight or nine of this was essentially a statement that we’re going to capture all your data. We brought a deception case because it would have been completely unreasonable for a consumer that was told that Sears is doing this to enhance their services, to know Sears is going to be downloading everything they do on the Internet. The point is you can’t bury things in a way that isn’t clear in a long contract.

What are other cases that you thought set a tone for online and mobile privacy?

Mr. Vladeck: In terms of basic privacy protection [cases against] Google and Facebook. Both involved what we said were the same deceptive conduct. In both instances companies made promises that information would not be disclosed to third parties beyond what consumers had consented to. In both instances Google in its rollout of Buzz and Facebook when it changed considerably its privacy policies, ended up disclosing private information to third parties without consumer consent. And we said you can’t do that. Those orders were really innovative and really important.

One of the questions you have as a regulator is you want to get at this bad conduct. But you don’t want to stifle companies from continuing to innovate. So if you look at our orders, they consist of four basic points:

1) Thou shalt not lie to consumers.

2) If you are going to engage in disclosures to third parties but you haven’t gotten consumer consent, you first need to notify them and you need to get their affirmative, express consent before engaging in information sharing. And if the consumer says no, you can’t do it.

3) We want you to design a privacy protection policy that covers your entire business. And every other year we want you to hire an outside auditor and do a top to bottom audit to make sure you are complying with the policy, and you have to give it to us.

4) This had to do with the EU — if you are going to engage in cross border transfers you have to abide by the laws on safe harbor.

These orders don’t tell Google and Facebook how to run their businesses. It requires them to have a program in place in which privacy is not an afterthought but is embedded into their approach.

Would you say those recommendations are good for any large company?

Mr. Vladeck: Yes and we proselytized on that. One of the reasons we designed the orders the way we did is we think every company ought to adhere to these. One of the things that’s really interesting is many companies are on their own internalizing that advice because it’s the right thing to do. And if the FTC comes knocking, it shows they are at least trying to grapple with some of the tricky privacy issues of our time.

What kinds of privacy cases do you think the FTC is likely to pursue most aggressively?

Mr. Vladeck: I think the FTC has put everyone on notice with the Apple announcement that the agency doesn’t want companies taking advantage of the fact that young kids are now using smartphones. And children’s privacy is going to stay on the forefront. There is great concern about children’s apps over-collecting data.

And data brokers. Given the increasing use of large aggregations of data, we need to inject some real transparency into the data broker business. Many members of Congress have picked up the issue and the agency is going to issue a report on data brokers, which may be a signal the agency is going to be very carefully scrutinizing them. People engaged in profiling huge stores of data that’s identifiable to individuals are going to have to be good stewards.

What should compliance attorneys in charge of privacy have as highest priorities?

Mr. Vladeck: Three points.

1) The fact that they work for companies interested in compliance is a great start. One generalization I will make from my experience is the companies that had the worst problems often didn’t have a dedicated chief privacy officer or people within management personally accountable for privacy.

2) Many firms have not taken data security seriously enough. The problem we see repeatedly is that too many firms, including firms with huge reputational interests, don’t do a good job being stewards of the information they have.

3) Extend more the security you have over children’s online privacy. You should put yourself in the position: if this were my data, how would I want it treated? Or better yet, if it was your kids’ data.
